The Washington Post on Monday reported that concerns about China’s growing cyber-warfare assault on U.S. infrastructure systems are justified, as hackers linked to the People’s Liberation Army (PLA) have “burrowed into the computer systems of about two dozen critical entities over the past year.”
Targets included a Hawaiian water utility, a port on the West Coast, an oil and gas pipeline, and the company that operates the power grid for the state of Texas.
None of these assaults, which were part of a campaign named “Volt Typhoon” by U.S. government cybersecurity experts, produced any damage or major disruptions – but that might not have been their purpose. Several sources portrayed Volt Typhoon as a reconnaissance effort, a string of probing attacks to test U.S. responses and set up more serious cyberattacks for the future, perhaps in the event of a major U.S.-China conflict, like a battle for Taiwan.
“It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States — to affect our decision-making around a crisis,” said Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS).
Joe McReynolds of the Jamestown Foundation said the Volt Typhoon hackers were “trying to build tunnels” into U.S. infrastructure they could “later use to attack.” The hackers put a high priority on avoiding detection and hiding from efforts to trace their location.
“Until then you lie in wait, carry out reconnaissance, figure out if you can move into industrial control systems or more critical companies or targets upstream. And one day, if you get the order from on high, you switch from reconnaissance to attack,” McReynolds said.
Cybersecurity experts were disturbed by the intensity of Volt Typhoon activity around Hawaii, where the U.S. Pacific Fleet is based. Another significant Volt Typhoon infiltration occurred in Guam, the nearest U.S. territory to Taiwan. The cunning tactics employed by the hackers to remain undetected suggest they were laying the groundwork for serious future attacks, rather than trying to send a message by getting themselves noticed.
On the bright side, many of the Volt Typhoon targets were smaller companies that were not directly connected to vital infrastructure, which implies the hackers were “opportunistic” – they looked for easy targets, rather than hitting vital systems at will.
According to the Washington Post, President Joe Biden was supposed to bring up China’s hacking campaign during his four-hour meeting with Xi Jinping in San Francisco last month but, for unknown reasons, Biden backed away from raising the subject.
Microsoft Threat Intelligence issued a bulletin about Volt Typhoon in May, describing the culprits as “a state-sponsored actor based in China that typically focuses on espionage and information gathering.”
According to Microsoft, the Volt Typhoon campaign became active in the middle of 2021, with critical infrastructure in Guam among its earliest targets. The full target list spanned “the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.”
Microsoft noted the hackers’ intention to “perform espionage and maintain access without being detected for as long as possible,” which jibes with what U.S. government and private security sources told the Washington Post on Monday.
Microsoft went into more detail about the “living off the land” strategy employed by the attackers, which boils down to stealing valid security credentials, planting malicious code on a targeted system, and disguising that code as legitimate software performing useful functions for the system. The Volt Typhoon hackers were very adept at making their communications with that malicious code blend into normal network traffic, so their presence went undetected.
CISA also published an advisory about Volt Typhoon and its “living off the land” tactics in May, including some helpful tips for detecting the Chinese malware. Many Volt Typhoon intrusions were eventually detected by searching for subtle, abnormal patterns in network activity.
John Hultquist, chief analyst for the Mandiant Intelligence cybersecurity firm, warned in October that Volt Typhoon was larger and more dangerous than originally suspected.
“This Volt Typhoon activity is a brand-new thing for them. We have not seen a lot of deliberate targeting in the critical infrastructure space from China. Occasionally, we’ll catch them probing into power, but this is a deliberate, long-term attempt to infiltrate a lot of critical infrastructure in a way that stays below the radar,” he said at a cybersecurity conference in Atlanta.
Hultquist concurred with National Security Agency (NSA) analysts who believed the Chinese hackers were “digging in for the possibility of creating a disruptive event, in the event of a wartime scenario.”
“This is especially concerning given how hard they’re working on their operational security, using botnets and zero-days to stay below the radar,” he said, classifying Volt Typhoon as an even greater threat than Middle Eastern cyberespionage intended to punish the U.S. for standing behind Israel after the October 7 Hamas atrocities.